1

Mac OS X Malware Vulnerabilities (November 2008)

Michael Grebenyuk, Albert Sodyl, Byron Thiessen, Sijia Wang

 and read by the operating system loader for that object format. Abstract—Mac OS X is commonly known to be a secure Various object formats exist, such as ELF, PE/COFF, and operating system however this is a misconception. Mac OS X Mach­O. does have security flaws and a proof­of­concept virus was created The Mach­O (Mach Object) object format is used by by the authors to exploit universal binary files. This virus infects other binaries on the system and captures private user data, operating systems based on the Mach kernel, such as emailing it to the attacker. There are several possible defence NeXTSTEP and Mac OS X. The Mach­O format provides strategies to defend against exploits such the one presented. These both intermediate and final storage of the machine code and include prevention using stricter access control with sandboxing, data. Features for dynamic linking were later added on top of and detection by various methods such as signature detection, the statically linked executable code at runtime, resulting in a change detection, and activity scanning. single file format that is both dynamic and statically linked.

The basic Mach­O file contains three major regions (Fig. 1). Index Terms—Computer security, computer viruses

I. INTRODUCTION PPLE advertises their Mac OS X operating system as A being very secure through their marketing campaigns. A quote from their website claims that it “delivers the highest level of security through the adoption of industry standards, open software development and wise architectural decisions. Combined, this intelligent design prevents the swarms of viruses and spyware that plague PCs these days” [1]. As a result of this, and the lack of prevalent malware on the platform, many Macintosh users believe that Mac OS X really is secure. Advertisements such as the popular Mac vs. PC commercials only contribute to the hype, even for non­ Macintosh users. Therefore, most are oblivious to malware threats on Mac OS X. However, the security of Mac OS is a myth, as it has vulnerabilities just like other operating systems, and should exploits become more common, it would Fig. 1. Mach­O file format basic structure. The 3 main regions are header, significantly increase the risk of using a Mac OS X [2], [3]. load commands and sections. Each segment command has zero or more section commands associated with it. This project analyzes how effective the security of Mac OS X really is when it comes to malware, such as viruses and At the beginning of every Mach­O file is a header spyware. By presenting a working exploit in the form of a mach_header that identifies the file as a Mach­O type using a Mac OS X virus that does alarmingly malicious actions, we magic number 0xfeedface. The header also contains hope to gain the attention of Mac OS X users and provide information such as the CPU type, file type, total size of the insight on how Mac OS X is just as vulnerable as other load commands and various other flags that will affect the operating systems, and present strategies for defending against interpretation of the rest of the file. The mach_header such threats. structure is as follows: struct mach_header { II. BINARY FORMATS uint32_t magic; cpu_type_t cputype; A. Mach­O Format cpu_subtype_t cpusubtype; Operating systems use various object formats to store uint32_t filetype; uint32_t ncmds; executable code and their libraries and associated metadata. uint32_t sizeofcmds; They act as blueprints for mapping out processes images in uint32_t flags; }; memory. Object files are created by compilers or assemblers 2

Common CPU types supported include PowerPC (0x12) fat_header structure is big endian on both architectures, thus and x86 (0x7). CPU subtypes define specific models of forcing a byte swap on Intel machines. The fat_header processors and are usually 0x0 for PowerPC and 0x3 for Intel structure also contains information such as the archive offset binaries. which allows the loader to take the native binary required for Following the header are a series of load commands that certain types of architecture and run it as if it was a single specify the layout and linkage characteristics of the file. Mach­O. Because the native code is being run, it executes just struct load_command { as fast as a pure native Mach­O file. The only drawback to this uint32_t cmd; is the universal binary’s size. As mentioned before, universal uint32_t cmdsize; binaries are simply archives of two Mach­O files which }; generally are double in size of a single Mach­O. However, This structure specifies the initial layout of the file in virtual this drawback doesn’t affect the end user significantly since memory, the initial execution state of the main thread of the file storage sizes have grown an astounding amount. program as well as location of symbol tables and names of shared libraries. The most important load commands are III. INFECTING MAC OS X BINARIES LC_SEGMENT, LC_THREAD, and LC_UNIXTHREAD. In particular, LC_THREAD holds the initial state of the registers A. Concatenation Method when a thread starts, this load_command can be used to Apart from utilizing specific Mach­O binary features, a retrieve or modify the entry point of a thread. simple way of infecting binaries is with the concatenation The third section of the Mach­O is the Data section which is method. This method works by concatenating two Mach­O divided into one or more segments each containing zero or executable objects together. When the result is executed, only more sections pointed to by an LC_SEGMENT load command the first binary will “run”. To use this as an exploit, a binary (Fig. 1). Each segment defines a region of virtual memory that needs to be created that knows its own size and contains a the dynamic linker maps into and each section of a segment potentially harmful payload within. We will call this binary contains code or data of a particular type. Such information the ‘parasite’. To infect a host binary, it simply inserts itself in includes symbol tables and string tables. the beginning of the host binary. In other words, it B. Fat Binaries and Universal Binaries concatenates the host binary with itself, the copies itself to the location of the host binary, overwriting it. When the infected Multiple Mach­O files can be combined into a multi­ host binary executes, the parasite must seek to the end of itself, architecture binary. A binary file as such is also called a fat copy the rest of the binary, which is the host program, into a binary due to the increased size of the file. Fat binaries temporary file and execute it as a child process. Then it include machine code for multiple instruction set architectures executes whatever payload desired either before, during, or (ISAs) and thus can be run on multiple processor types. The after the host binary is run. [6] fat binary was developed by NeXT for their NeXTSTEP Such a method is trivial to implement in Mac OS X because operating system to allow Motorola 68k and Intel IA­32 based most binaries are writable and it is possible for a process to processors to run the operating system without making open a file descriptor to its own binary. Contrast this with separate versions. After Apple purchased NeXT in 1996, fat Linux where /proc/pid/mem must be used. The location of the binaries continued to be supported in Mac OS X, but it wasn’t temporary file does not matter for all but some Objective­C until Apple announced their transition to Intel processors in applications that use @executable_path where the temporary 2005 that they really took off. Fat binaries are not actually binary must reside in the same folder as it was originally in. binary files themselves but rather an archive of binaries. The arguments and environment must be passed unmodified Every fat binary starts with a structure fat_header similar to when executing the temporary file in a fork so the application that of a single Mach­O file which contains two unsigned has the illusion that its first argument (the location of the integers magic and nfat_arch. The magic number is similar to binary), has not changed. that in a Mach­O file since it also identifies the file as a fat binary archive. However, for a fat binary the magic number B. Resource Fork Method used is 0xcafebabe. The second unsigned integer is used to Mac OS X file system uses HFS+, a replacement for define how many Mach­O binaries are contained within the Apple’s Hierarchical File System(HFS). Each file on a HFS+ archive. In Mac OS X, fat binaries are used to support file partition has two forks, data and resource. To access a optimized codes for multiple variants of an architecture such file’s resource fork, the command /rsrc or as 32­bit and 64­bit PowerPC generations. /..namedfork/rsrc is used. To use this for an Later, Apple promoted the use of fat binaries through their exploit, one can copy the host binary into the resource fork of transition from PowerPC to Intel’s x86 architecture, giving fat the parasite file. The parasite file is then copied over top of the binaries the name “Universal Binary”. It is interesting to note original host binary, replacing it. When the new binary is that PowerPC is a big endian (higher order bytes stored at executed, it simply executes the payload section before or after lowest address) architecture, and Intel uses little endian (lower executing its resource fork. This gives the illusion of the host order stored in memory at the lowest address). However, the binary being run unmodified. 3

A limitation with this approach is that it only works with the The keychains in Mac OS X store all passwords and possibly HFS file system. Since much data is received from CDs, other sensitive data such as credit card numbers. The keychain DVDs, the internet, and non­Mac OS X servers, this approach is by default encrypted with the user’s login password. The could have difficulties spreading through certain mediums. login password is not captured by the virus, but easily could be Luckily, the built in archive utility for creating /extracting ZIP through key logging or reading unencrypted swap files as the files in Mac OS X supports preserving resource forks, as well root user. The captured information is then emailed to a as tar and other UNIX utilities when ran on a Macintosh specific email address. The virus does this every time an system. Similar constraints to arguments and environment infected application is run. variables exist for this method as with the concatenation B. Mechanism method. The way the virus works is quite simple. The virus binary is C. Hook Mach­O Entry or Exit Points compiled as a universal binary and inserted in the beginning of In the Mach­O binary, the entry point for the initial thread the desired binary to be infected manually. This is can be found in a LC_THREAD or LC_UNIXTHREAD load accomplished with a Perl script that compiles the virus code command. The struct for this command contains an additional once to get the resulting binary size, then modifies the source struct (cpu_thread_state state) that stores the initial state of code with the updated file size, and compiles it again. each register. A free tool called HTE Compilation is done with the help of the make utility and the can be used to manipulate object result is a binary that knows its own file size. The Perl script files and headers trivially, supporting code disassembly as then copies the virus code to a temporary file, appends the well. It can be used to view the srr0 field in the Mach­O desired host binary to it, and then overwrites the host binary header and modify it to the specified address of code with the temporary file. This process is known as virus code execution. Of course this can be automated to define the entry bootstrapping. Once the virus infected a living binary, it can point of parasite code or shellcode beginnings. then reproduce on its own. Since changed entry points can be easily detected by When the infected binary is run, the virus code’s main antivirus software, other entry points can be used. For function is executed. The virus starts by seeking to the end of example the __DATA,__mod_init_func sections for C++ itself and copying the rest of the binary, which is the applications can be used as hooks, of which that have been untouched host binary, to a temporary location. This location compiled with g++ can use __TEXT,__contructor and was originally in /tmp, but later revisions of the virus chose to __TEXT,__destructor sections, even if they don’t use them. use the same directory as the virus was in. The reason for this These can be used as entry or exit points and store malicious is that many Cocoa applications load dynamic libraries that code. These places make it difficult for antivirus software to expect them to be relative to the location pointed to by detect modified binaries since they look like valid code, @executable_path or in some cases for newer applications, compared to an LC_THREAD construct pointing to a strange @loader_path. The linker resolves these paths at runtime, and memory address. looks for dynamic libraries there. If the binary is moved away The approach used by the MachoMan virus uses from its application bundle (where frameworks, libraries, and LC_UNIXTHREAD to modify the EIP register (on Intel), to other resources are contained) the linker will not be able to jump to segments which contain no sections (like find the necessary libraries and the binary will fail to load. We __LINKEDIT and more importantly __PAGEZERO). This could not find a way to change @executable_path at runtime, makes code loaded into __PAGEZERO, which is usually not so the “hack” we used was to use the binary directory for the accessible by the loader, to be run. It provides sufficient room temporary location and keep the filename the same, but for malicious code and is invisible to the loader, making it append the PID (Process Identification) number to the harder to detect binary execution flow alterations. temporary file. C. Infection IV. FELCATOR VIRUS Once the temporary binary is written, the application A. Actions fork()’s, changes the permissions of the binary as necessary, The Felcator virus is a proof­of­concept virus for Mac OS X and runs it as a child process using the execve() system call. created by the authors of this paper. It is slightly more than As the host binary is running, the virus code proceeds to infect proof­of­concept as it does have a malicious payload. Using other targets. Originally, the code would infect all global the concatenation method, it recursively infects all universal applications (/Applications) and user applications binaries in the user’s Application directory (~/Applications) (~/Applications) about 95% of the time. The other 5% of the when executed. The payload shows a pop up dialog that the time it is run, it will scan the whole file system for binaries to file is infected, along with printing that message to stdout. It infect, including /bin, /sbin, /usr/bin, /usr/sbin, etc, and any also captures the user’s bookmarks, website history, recently network drives or other mounted file systems. For the sake of downloaded files list, information about the operating system easier testing and demonstration, the virus has been modified and network configuration, as well as all the user’s keychains. to only infect the user applications (~/Applications), leaving 4 the rest intact. The demo version also attempts to infect a executed. This easily allowed us to make a dialog box with binary named “test” in the current directory. AppleScript (osascript ­e ‘tell application “Finder” to display Finding binaries to infect is not a trivial task. Many Mach­ dialog “This application has been infected.”’), and collect user O binaries are non­executable shared or static libraries, and information with a combination of tar and mail commands. some system libraries are not writable to by default for any The creativity of a virus writer, however, never ends, and more user. The reconnaissance phase must also be very robust, interesting payloads could be invented to work with Felcator. because if the virus code crashes, the host application will go For example, Felcator could email itself to everyone on the down with it. Many system calls are used to find host binaries, infected user’s address book. so stealth will always be a challenge. E. Gaining Root Access with Roota For each specified directory, the virus uses the fts_read() system call to get a linked list tree of file paths in FTSENT As mentioned earlier, the virus gives up infecting files that it nodes. These nodes are then filtered for everything but regular does not have permissions to write to. This might include files. If the files have execute permissions by either the owner, system directories like /bin and /sbin since by default these are group, or world, the file is sent to the infection stage. owned by root. Note that all applications in /Applications are This stage tests if the file is large enough to be a universal writable by any admin user on the system, which by default is binary, and can be read in the first place. Only files that have the first user of Mac OS X. Most people run their operating read and execute permissions will be infected by the virus. It systems as administrators simply due to the fact it is the will try to set write permissions itself if it can, then restore the default. The safe defaults principle could very well apply permissions afterwards. The virus does not attempt to cover here. Any additional applications installed in /Applications its tracks by setting the modified date back to the original. and ~/Applications are writable by the person that installed To determine if the virus is a universal binary, it tries to them, making write permissions even more open. read the fat_header of the file and check the magic number However, if you are a non­admin user on a Mac OS X (Section II.B). If the virus is running on a little endian system, it would be much easier for the virus to spread if it machine, it will also need to byte swap the fat_header to read could gain root access. Enter Roota, a local root exploit for it. If the magic number matches, and the number of Mac OS X using a vulnerability in pppd that is installed by architectures is less than 20 (a hack for possible Java binary default in Mac OS X. Details on how the exploit works will conflicts), we agree that it is a universal binary. not be covered in this paper to length constraints. However, We then use a little hack by seeking to byte 0x1000 where the basis of the exploit is that it creates a malicious pppd the mach_header of the first architecture is usually stored plugin that starts a root shell, and loads the plugin in such a (Section II.A). This value was based on experimentation, but way that gets around pppd’s check to make sure the stdin sources suggest that it is static unless the fat archive contains descriptor is owned by root. The pppd binary is setuid, and many Mach­O binaries that wouldn’t fit into the 0x1000 thus executes with root privileges. boundary [7]. At this offset, the mach_header is read and Apple has since patched this flaw with a security update, but checked for its magic value, MH_MAGIC or MH_CIGAM for it serves as a demonstration on how an up­to­date system a few little endian machines. If these tests are successful, we make months ago could be vulnerable to such an attack. Using root sure the binary is an executable by checking the privileges Felcator could infect all binaries on the system. mach_header.filetype field for MH_EXECUTE or F. Demonstration MH_EXECUTE << 24 on little endian machines. Here is a demonstration with some output snipped: These checks are continued (e.g. make sure binary is not $ make already infected, etc) until the binary can be copied to a gcc parasite.c ­g3 ­arch ppc ­arch i386 ­o psite gcc host.c ­g3 ­arch ppc ­arch i386 ­o host temporary location in /tmp, overwritten with the contents of $ file host the virus, and the original appended to the virus from the host: Mach­O universal binary with 2 architectures temporary location. All this is done by using the file host (for arch ppc): Mach­O executable ppc host (for arch i386): Mach­O executable i386 descriptor of the running infected binary to read from itself. $ ./host Permissions can be a problem, which the virus tries to get Hello, I am the host binary. around by setting permissions manually, but if this fails, the $ cp /bin/ls test /bin/ls ­> test virus gives up infecting the target and moves onto the next $ file test one. Using this method the virus infects all universal binary test: Mach­O universal binary with 2 architectures applications, and once it has finished, it executes its payload. test (for arch i386): Mach­O executable i386 test (for arch ppc): Mach­O executable ppc $ ./infector.pl host D. Payload [+] Infecting file: ( host ). The payload is up to the virus implementer. As discussed in [+] Using file size: ( 0x120d8 ). [+] File Successfully infected. Section A, the virus prints messages and collects user data and $ ./host emails it. Most of this is done with the system() call. This Infecting 'test' invokes the command shell (/bin/sh) with the specified Hello, I am the host binary. Infected 'test' commands to run, effectively enabling shell scripts to be file infected. 5

$ ./test System folder which contains the essential components of OS File 'test' already infected, skipping file infected. X. The root account is disabled by default and can be activated Makefile a.out host.c by an administrator. parasite.c psite A possibly dangerous property in Mac OS X is the fact that host infector.pl payload.c test $ when the system is first initialized, the first account is created as a member of the admin group which has write access to G. Purpose many binaries files on the system. If a user in the admin group Felcator demonstrates that Mac OS X is vulnerable, as any executed our malware by accident it could infect a large other modern operating system with privilege separation, is to number of files because of the default permissions. A way to virus attacks. Not only are these virus attacks proof­of­ solve this problem is to adjust the OS to require the user to concept, but by showing that malicious acts can be malicious create two accounts upon loading the OS for the first time, one we realize that they are a real threat. Gaining all the user’s administrator account and one standard account. All saved passwords and internet history simply by running a application installation and system modification could be done malicious program unknowingly can cause a lot of damage. in the admin account and everything else could be done in the Many users have been trained to click accept when Safari normal account which would not have permission to write to prompts them if they are downloading an application. The any binary files. Using this method would be utilizing the response will only be natural when a malicious program asks “least privilege” design principle. Another important principle to be downloaded. Even though user interaction is required to to consider when making this change is “psychological spread the Felcator virus, it is not out of the ordinary to rely on acceptability” because the reason why two accounts are user interaction as it is how a lot of malware spreads on other required should be clearly explained to the user. platforms, particularly Microsoft Windows XP. B. Sandboxing V. DEFENSE STRATEGIES Another prevention method is a technique called The preceding sections showed how universal binaries in sandboxing. Sandboxing provides a tightly­controlled set of Mac OS X can be compromised and exploited to malicious resources for programs to run in, such as scratch space on disk ends. We will now investigate how to defend against such an and memory. By setting a default sandbox for unknown attack. There are two basic defense strategies we will consider: programs, we could make sure that unknown programs could prevention, and detection. We will deal with these two write only to a specified area of the disk and could not write categories separately. Please note that the recommendations in outside of that. This way, there is no chance that our exploit this section are based on Mac OS X version 10.4 (Tiger). could write to a binary file even if the current user has write Version 10.5 was released during our work on this project. access to it. Another way sandboxing could be useful is to sandbox known programs so if they do get compromised by A. Prevention Using Stricter Access Control our exploit, the resources the exploit can access will be limited Prevention means not letting the exploit occur in the first to the host program’s sandbox. Sandboxing is based on the place and this can be accomplished by utilizing the “least “least privilege” principle of designing secure systems. It also privilege” principle of designing secure systems. Mac OS X is utilizes the principle of “defense in depth” because it is an based on the UNIX operating system and has the same access extra layer of access control on top of the user privilege access control model. This model is a discretionary access control control. model which uses access control lists where every file on the system has read, write, and execute privileges assigned to it for VI. DETECTION METHODS various users and groups. If the prevention methods fail and a binary file does get Our exploit has the option of using the pppd vulnerability to infected with our exploit, then it should be detected and gain root access but if the target is not vulnerable, it tries to removed. The tricky part of this is detection because once it is infect binaries using whatever level of access the account in detected then it should be fairly easy to remove. Our exploit which it is running has. If the account that it is running in has could be detected using signature detection, change detection, write access to many binary files then the malware can infect activity scanning or by making mach­o files more secure by many applications. redesigning the header. All virus detection methods attempt to In Mac OS X there are three types of accounts: standard, ensure the integrity of software because they are designed to administrator, and root. A standard account can only affect the detect code that should not be there. They also indirectly files in his/her home folder. An administrator account has attempt to ensure confidentiality and availability by detecting more access than a standard account and can not only affect malicious software that might harm the confidentiality or the home folder, but also the Applications folder where availability of data. For example, if a virus is designed to applications are installed and the Library folder which contains perform a denial of service attack then a virus scanner would application and OS related support files. The root account can be ensuring data availability by detecting and removing the only be accessed from an admin account and has ultimate virus. Similarly, if a virus was designed to steal credit card powers in the system. This includes the ability to affect the numbers and email them to some email address then a virus 6 scanner that detected it would be ensuring the confidentiality programs and reports any suspicious behavior. It may, for of the data. example, detect any calls to format the disk that were not made by the OS. It may also detect a program tying to modify or A. Signature Detection change binary files because this type of behavior is unusual. One possible way to detect if a binary has been infected Programs other than installers usually only modify data files with our exploit is called signature detection. In this case, the and not executables. An activity based scanner would be signature will be a string of bits found in the malicious portion effective against our exploit because it is an application that of binary that was changed. All of the binaries on the system tries to modify binary files and once it infects a binary file, it could then be scanned looking for the signature. The signature uses the host program to infect other binary files. For example, string would have to be of sufficient size as to minimize false if our exploit infected a word processor, then it would use it to positive matches. Two advantages of this method are that it is infect other binaries. An activity based scanner would monitor simple to implement and it provides specific identification of the activity of the word processor and alert the user if the word viruses. A disadvantage is that information about the exploit processor tried to write to an executable file. A similar type of must be known in order to create a signature to scan for. scanner to an activity based scanner is a heuristic scanner. Another disadvantage is that if a signature was created for the Instead of monitoring activity it looks for suspicious sections exploit, the exploit’s creators could make subtle changes in the of code that are generally found in viral programs. For exploit’s code such as redundant or useless code that wouldn’t example, a heuristic scanner might scan for code in a program change its functionality but would change its signature. In this that looks for other program files. A big advantage of activity way, the malware creator could compile many versions of the based and heuristic scanners is that they can scan for unknown exploit all with different signatures and a signature scanner viruses. The scanner does not need to know the exact nature of would have to have a different signature for each different a virus because it will detect it as long as it does some kind of version. For example, Trudy could have the source code for a general suspicious thing that the scanner is programmed to working virus but a signature has already been created to catch. A big disadvantage is that it is difficult to define bad detect the virus. She could then go back to the source code, behavior that a virus does but a legitimate program never does. create a variable called ‘x’, and then every fourth line insert Nevertheless, activity and heuristic scanners still remain useful the line of code “x = 1”. If the variable ‘x’ was not used in the tools. previous version of the virus then this change would not affect the functionality of the virus but it would affect the compiled D. Improve the Mach­O Format machine code for the virus and would very likely change its A third way to detect our exploit would be to modify the signature. She could then go back and change the additional design of the Mach­O file header to include the program lines to “x = 2” and compile a third unique version. This way length. This would be specified as an offset value. Since our she could create any number of unique viruses that all have the exploit concatenates itself to the end of existing binaries, it same functionality but different signatures. modifies the length of the binary. If the length had been specified in the header, then the OS could generate a warning B. Change Detection if the system executed code at an address that the OS thought Another way to detect our exploit is to use change detection. was the exit point of the program but the program did not exit. Change detection can be accomplished by computing a hash of Of course the malware could simply write over information in every binary file on the system. Then, at regular intervals, the the header file and change the exit point so the header would hashes are recomputed and compared to their original values. have to be signed and checked whenever the program is run. The main advantage of this method is that there are virtually This detection method would be effective but difficult to no false negatives so if a file has been infected it will definitely implement since it involves changing the format of Mach­O be detected. This method also has several disadvantages. First, files. the original hash file must be computed before the infection occurs. If the binary is infected before a hash of the uninfected VII. CONCLUSION file is computed, then change detection will reveal nothing. Apple’s Mac OS X operating system is just as vulnerable to Another disadvantage comes from the fact that binary files on virus attacks as other operating systems. The fact that it has a system do change for legitimate reasons like when they are not been a major target for attackers could change as Mac OS updated. For this reason, a change detection scan would likely X is becoming more popular. And the fact that there are not as come up with numerous false positives which would place a many viruses for Mac OS X as there are for other platforms heavy burden on the user to sort through them. It is also does not reduce the severity of the threats that could be conceivable that a binary file could be infected shortly after it realized. It is therefore advised for Mac users to watch what was updated for legitimate reasons and the infection would not they’re downloading and running. Having antivirus software be detected. with change detection and heuristic activity scanning would C. Activity and Heuristic Scanner help reduce the risk, as well as running sandboxed and signed An activity based virus scanner monitors the activity of applications. Hopefully we will see improvements to Mach­O in the future that will make it harder to infect applications. 7

REFERENCES [1] Apple (2007, October) Mac OS X Security [Online]. Available: http://www.apple.com.sg/macosx/features/security [2] J. Jones. (2007, June 18) Days of Risk in 2006: Client OS Products [Online]. Available: http://blogs.csoonline.com/node/365 [3] J. Jones. (2007, June 13) Days of risk in 2006: Linux, Mac OS X, Solaris and Windows [Online]. Available: http://blogs.csoonline.com/days_of_risk_in_2006 [4] M. Muthanna. (2006, March 26) How OS X Executes Applications [Online]. Available: http://0xfe.blogspot.com/2006/03/how­os­x­ executes­applications.html [5] R. G Biv. (2006, October) Infecting Mach­O Files [Online]. Available: http://vx.netlux.org/lib/vrg01.html [6] N. Archibald. (2004, November 18) Infecting the Mach­O Object Format [Online]. Available: http://felinemenace.org/~nemo/slides/mach­ o_infection.ppt [7] Jon. (2006, June 9) Mach­O and Universal Binaries [Online]. Available: http://hohle.net/scrap_post.php?post=197 [8] iDefense Labs. (2007, May 24) Public Advisory [Online]. Available: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=537 [9] Wikipedia (2007, October 25) Universal Binary [Online]. Available: http://en.wikipedia.org/wiki/Universal_binary, [10] Wikipedia (2007, October 24) Fat Binary [Online]. Available: http://en.wikipedia.org/wiki/Fat_binary#Mach­O_and_Mac_OS_X [11] J. Hohle (2006, June 9) Mach­o and Universal Binaries [Online]. Available: http://hohle.net/scrap_post.php?post=197 [12] N. Dhanjani. (2004, June 27) New (local) Mac OS X vulnerability: Passwords in Swap files [Online]. Available: http://www.oreillynet.com/onlamp/blog/2004/06/new_local_mac_os_x_ vulnerabili.html [13] Wikipedia (2007, October 14) Mach­O [Online]. Available: http://en.wikipedia.org/wiki/Mach­O [14] A. Adams of Symantec. (2006, November 13) DeepSight Threat Management System: Research Report [Online]. Available: http://downloads.securityfocus.com/downloads/MacOSX_DeepSight_R eport.pdf